Diff: KeySigningScripts

Differences between version 3 and predecessor to the previous major change of KeySigningScripts.


Newer page: version 3 Last edited on Sunday, May 14, 2006 1:24:19 pm by CraigBox
Older page: version 2 Last edited on Wednesday, March 2, 2005 11:17:17 pm by StuartYeates
@@ -12,4 +12,88 @@
 * cabot by Ian Jackson, Joost van Baal, Laurent Fousse and Peter Palfrader in [Perl] [ref|http://cabot.alioth.debian.org/]. 
  
  
 If you use one of these scripts, please add comments / opinions. 
+  
+----  
+!!Simple keysigning with caff on Ubuntu:  
+  
+Caff is a script written to assist with Debian keysignings. I used this to sign all the keys I sighted at Linux.conf.au 2006.  
+  
+! Installing  
+  
+Install some packages: <tt>apt-get install signing-party gpg-agent pinentry-gtk2</tt>  
+  
+signing-party contains caff and some other useful scripts. gpg-agent allows you to save your passphrase in memory for a short period, and thus not type it in on every key you sign.  
+  
+I've specified pinentry-gtk2 here, but curses might work for you if you don't have X on the machine you are using or prefer the console.  
+  
+! Setting up your keysigning files  
+  
+Generate a list of all the keys you need to sign, one per line. The keylist.txt that you printed and used to tick off IDs on is a good place to start. I went through the list, grepped out only the lines with 'pub' on them, and then removed the ones I didn't want to sign. I then checked them all, confirming I had the right keys, and used some RegularExpression~s to cut out only the 8-digit key fingerprint, so I had a file that looked like this:  
+  
+<pre>  
+ABCD1234  
+DBF5ED67  
+DEADBEEF  
+</pre>  
+  
+Configure a couple of things:  
+  
+; ~/.caff/gnupghome/gpg.conf : Add <tt>use-agent</tt> so caff will use gpg-agent (note, caff uses its own GPG environment files)  
+; ~/.gnupg/gpg-agent.conf : <tt>default-cache-ttl 600</tt><br><tt>pinentry-program /usr/bin/pinentry-gtk-2</tt> (change for the correct pinentry program)  
+; ~/.caffrc : add <tt>$CONFIG{'gpg-sign-args'} = "save";</tt> (as per /usr/share/doc/signing-party/caff/README.many-keys)  
+  
+!A short aside for Ubuntu/Postfix users  
+  
+If you're running a default Ubuntu insatllation, your MTA is [Postfix]. This setup will generae e-mail with envelope headers from username@localhost.localdomain (which is bad - lots of hosts on the Internet will drop the messages as the domain isn't real). You should fix the config before you proceed. I fixed it by adding <tt>smtp_generic_maps = hash:/etc/postfix/generic</tt> to /etc/postfix/main.cf, and creating an /etc/postfix/generic file like so:  
+  
+<pre>  
+crb@localhost.localdomin craig@example.org  
+</pre>  
+  
+I then had to run <tt>postmap /etc/postfix/generic</tt>. It might also be appropriate to make Postfix send mail through a smarthost, as I had a few messages not deliver because I am on a [DSL] IP address.  
+  
+If I'd known this BEFORE running caff, I would have fixed it with <tt>apt-get install exim4</tt>. :)  
+  
+If any Postfix gurus read this, can they please tidy this section up?  
+  
+! Performing the signing  
+  
+Start gpg-agent: <tt>eval `gpg-agent --daemon`</tt>  
+  
+And start signing keys: <tt>caff -mR --key-file lca2006-keyring.gpg `cat keys-to-sign.txt`</tt>  
+  
+In this case, because I have a keyring file, I have specified -R - don't download from keyserver - which speeds this process up. -m specifies that I always want to send mail.  
+  
+Now, when you sign your first key, you will be asked for a passphrase, which will be kept in memory. You should only have to hit 'y' (to sign all keys) and 'y' (really sign), on each of your preprepared keys, to proceed.  
+  
+It is good form to be checking against your list as you go, even at this point.  
+  
+caff will then mail out on your behalf a message like this:  
+  
+<pre>  
+Hi,  
+  
+please find attached the user id  
+Hi,  
+  
+please find attached the user id.  
+ Pie Man <pieman@example.org>  
+of your key DEADBEEFBAADF00D signed by me.  
+  
+Note that I did not upload your key to any keyservers.  
+If you have multiple user ids, I sent the signature for each user id  
+separately to that user id's associated email address. You can import  
+the signatures by running each through `gpg --import`.  
+  
+If you want this new signature to be available to others, please upload  
+it yourself. With GnuPG this can be done using  
+ gpg --keyserver subkeys.pgp.net --send-key DEADBEEFBAADF00D  
+  
+If you have any questions, don't hesitate to ask.  
+  
+Regards,  
+Key Signer  
+</pre>  
+  
+Your work here is done.
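Review bot: the key list in this hunk is described as "the 8-digit key fingerprint", but the example entries (ABCD1234, DBF5ED67, DEADBEEF) are 8-hex-digit short key IDs, not fingerprints; short key IDs are not unique and collisions are cheap to produce, so since the list is being cross-checked against the printed sheet anyway, it should carry the full 40-hex-digit fingerprints that were verified in person and pass those to caff instead of the short IDs, and the text should say "key ID" or "fingerprint" consistently. This matters more here because the signing run uses `-R --key-file lca2006-keyring.gpg`, so every signature is made over whatever key material that file contains, with nothing fetched or compared from a keyserver. Also in this hunk: the /etc/postfix/generic example line `crb@localhost.localdomin craig@example.org` misspells the `localhost.localdomain` sender the paragraph is trying to rewrite, so the map would never match and the envelope fix would silently not apply; the mailed template in the final <pre> block has its opening "Hi, / please find attached the user id" pasted twice and should begin at the second copy; and "insatllation" and "generae" in the Postfix aside are typos.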